[pmwiki-devel] AuthUser farm security

Patrick R. Michaud pmichaud at pobox.com
Fri Nov 24 18:37:13 CST 2006


On Fri, Nov 24, 2006 at 03:13:39PM -0600, JB wrote:
> Just learned that when logged into one wiki using AuthUser, you
> have access to all Wikis in that farm which also use AuthUser.

This is true only when all of the wikis in the farm have
the same domain name.

> These two pages seem to have similar information in them,
> but I feel they should be combined into one page.
> 
>    http://www.pmwiki.org/wiki/PmWiki/AuthUser
>    http://www.pmwiki.org/wiki/Cookbook/AuthUser

I agree -- we've been wanting to combine them for
some time but it's been difficult to find the time/energy
to take care of it.

> This page has some information at the very bottom
> using php code    session_name('XYZSESSID');
> 
>    http://www.pmwiki.org/wiki/PmWiki/Passwords
> 
> This page has some information near the bottom with the
> heading "Ugh - Authentication Sessions and Farms".  It suggests
> two ways, using a different user group for each farm or using
> php code    $CookiePrefix = substr($tmp = md5(__FILE__), 0, 5).'_';
> 
>    http://www.pmwiki.org/wiki/Cookbook/AuthUser
> 
> So of the three methods above, which is the best?

Only the session name approach really separates things fully.
The user group approach isn't very clean, and somehow I don't think
the $CookiePrefix approach will work at all.  

Another (likely) approach will be to move the session files
themselves into a separate directory for each wiki.  This
has some other small advantages, especially on Windows servers.

> Is there a way to make this more automatic? In the setup
> documentation can we change it so that by default AuthUser
> will automatically have someone set this up to be secured
> and they would have to customize it to make it open?

The problem isn't specific to AuthUser, it happens for
any PHP setup where multiple sites appear under the same 
domain name.  It happens even if the sites aren't
part of the same wikifarm, and even if AuthUser isn't being
used (in which case the passwords entered on one site
are treated as having been entered on the other).  It just
has to do with the way that PHP makes session files available
to all applications running on a single server.

Still, if we can come up with a good way for each wiki on
a server to receive a unique identifier that it can use for
the session cookie, that would probably resolve things for
most people.

Pm
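As an added example (not code from this thread or from PmWiki itself): one way to give each wiki in a farm its own session namespace, combining the session_name approach Pm says separates things fully with the per-wiki session directory he mentions, plus a cookie path so the browser never sends one wiki's cookie to a sibling. It assumes the snippet lives in each wiki's local/config.php, that wiki.d/ is the wiki's writable directory, and that local/ sits inside the wiki directory; the PMW...SESSID naming is likewise an assumption.

```php
<?php
// Added example, not PmWiki's own code.  Put this early in each wiki's
// local/config.php, before anything calls session_start().

// 1. A per-wiki session cookie name.  Deriving it from this file's own
//    directory makes it unique across the farm with no manual setup
//    (two wikis cannot share a local/config.php path).
$wikiId = substr(md5(dirname(__FILE__)), 0, 8);
session_name('PMW' . strtoupper($wikiId) . 'SESSID');          // assumed naming scheme

// 2. Scope the cookie to this wiki's URL path (trailing slash included),
//    so a browser logged in at /wikiA/ never presents that cookie to /wikiB/.
$basePath = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';
$secure   = !empty($_SERVER['HTTPS']);
session_set_cookie_params(0, $basePath, '', $secure, true);    // lifetime, path, domain, secure, httponly

// 3. Keep this wiki's session files in their own directory instead of the
//    server-wide default, so a session id issued by another site on the same
//    host resolves to no session data here.
$sessDir = dirname(__FILE__) . '/../wiki.d/sessions';         // assumption: local/ is inside the wiki dir
if (!is_dir($sessDir)) {
    mkdir($sessDir, 0700, true);
}
session_save_path($sessDir);
// Garbage collection only runs over the configured save_path, so make sure
// it is actually enabled for this private directory.
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
```

After applying this, a quick check is to log in on one wiki, then load a sibling wiki under the same domain and confirm it still shows the login prompt and that the browser holds two differently named session cookies with different paths.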


